Realm required on challenges

[mnot@…]

p7 defers to RFC2617 for the definition of challenge.

RFC 2617, section 1.2 says:

challenge = auth-scheme 1*SP 1#auth-param ... The authentication parameter realm is defined for all authentication schemes:

realm = "realm" "=" realm-value realm-value = quoted-string

The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge.

The interpretation being that challenges (which is what www- authenticate is defined as) MUST contain at least one parameter and that parameter MUST be a realm.

Is it truly necessary for all authentication schemes to include a 'realm' paramter? If so, it should be documented (e.g., in the section about extension authentication schemes).

[mnot@…]

Blocked until we actually take responsibility for this text in 2617...

[julian.reschke@…]

Proposal:

• make realm optional for schemes

Q:

• what about existing schemes? (for instance, Basic)?

[julian.reschke@…]

proposed change for p7

[julian.reschke@…]

From [1354]:

Realm is optional in new schemes (see #177)

[julian.reschke@…]

From [1385]:

note change on realm requirement in Changes section, fix ABNF for challenge not to insist on auth-params (see #177)